An Insight into the Colorado Privacy Act & its Draft Rules!
Updated: Mar 16

Colorado Governor Jared Polis signed the Colorado Privacy Act (the “CPA”) into law on July 8, 2021, making Colorado the third state (after California and Virginia) to pass a comprehensive privacy law protecting its residents. The CPA goes into effect on July 1, 2023.

The CPA applies to legal entities that conduct business in Colorado, or deliver products or services targeted to Colorado residents, and that either (1) control or process the personal data of 100,000 or more consumers during a calendar year, or (2) control or process the personal data of 25,000 or more consumers and derive revenue, or receive a discount on the price of goods or services, from the sale of personal data. There is no revenue threshold.

“Consumers” are defined in the CPA as Colorado residents acting in an individual or household context. The definition excludes individuals acting in a commercial or employment context, job applicants, and beneficiaries of someone acting in an employment context. “Personal data” is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” The CPA’s requirements do not extend to de-identified data or publicly available information.
The following are the compliance requirements under the CPA and its draft rules:
Consumer Personal Data Rights
A) Request Submitting Methods
The methods for submitting requests do not have to be specific to Colorado if they:
Clearly indicate that the rights are available to Colorado consumers
Provide all data rights to Colorado consumers
Provide Colorado consumers with a clear understanding of how to exercise their rights
Comply with the draft rule’s general notice requirements
B) Opt-Out Requests (Including Opt-Out Link)
Upon receiving an opt-out request, a controller must stop processing the personal data for the opted-out purpose(s) within fifteen days.
A controller must provide an opt-out method “either directly or through a link, clearly and conspicuously in its privacy notice as well as in a clear, conspicuous, and readily accessible location outside the privacy notice.”
If a controller uses a link, the link must take a consumer directly to the opt-out method and the link text must provide a clear understanding of its purpose.
C) Right of Access
Controllers must provide data “in a form that is concise, transparent and easily intelligible, and avoids incomprehensible or unexplained internal identifiers or codes” as a response to access requests.
Controllers should not reproduce high-risk data elements in the access response itself, since disclosing them to the wrong requester would create a security risk; instead, they must inform the consumer that they have collected that type of information: government-issued identification numbers, financial account numbers, health insurance or medical identification numbers, account passwords, security questions and answers, or biometric data.
D) Right to Correction
Controllers must correct the personal data across all data flows and repositories and implement measures to ensure that the personal data remains corrected.
Controllers also must instruct processors to correct the personal data in their systems.
E) Right to Deletion
Controllers do not have to delete personal data stored on backup systems until that system is restored or is accessed for a sale, disclosure, or commercial purpose.
Controllers that deny a request to delete based on an exception must:
Delete any personal data not subject to the exception.
Provide the consumer with a list of the personal data that was not deleted along with the applicable exception.
Not use the personal data for any other purpose.
The draft rules also add a deletion exception for data obtained from third parties (the data broker exception).
Specifically, controllers that obtain personal data from sources other than the consumer directly may comply with a deletion request by either (i) retaining a record of the deletion request and the minimum data necessary to ensure the personal data remains deleted from the consumer’s records, and not using that retained data for any other purpose, or (ii) opting the consumer out of the processing of that personal data for any purpose other than those exempted under C.R.S. § 6–1–1304.
F) Right to Data Portability
Controllers are not required to provide personal data that would disclose the controller’s trade secrets when responding to a portability request.
G) Authentication
Controllers must establish “reasonable methods” to authenticate requests, taking into account the right being exercised; the type, sensitivity, value, and volume of the personal data; and the level of possible harm from improper use or access.
H) Responding to Requests
If a controller denies a request, it must provide a detailed explanation for its decision, including (as applicable): (a) any conflict with federal or state law, (b) the relevant exception to the CPA, (c) the controller’s inability to authenticate the consumer’s identity, (d) any factual basis for the controller’s good-faith claim that compliance is impossible, or (e) any good-faith, documented belief that the request is fraudulent or abusive.
Universal Opt-Out Mechanism (UOOM)
The purpose of UOOMs is to give consumers a simple, easy-to-use method for automatically exercising their opt-out rights with every controller they interact with, without having to submit an individual request to each controller.
By April 1, 2024, the Colorado Department of Law (the Attorney General’s Office) will be required to maintain a public list of recognized UOOMs.
Duties of Controllers
A) Privacy Notices
Controllers need not provide a separate Colorado-specific privacy notice, or a Colorado-specific section of a privacy notice, if the notice contains all information required by the rules and “makes clear” that Colorado residents are entitled to the rights provided in section 1306 of the CPA. Notices must be posted online, and the link to the notice must include the word “privacy.”
Controllers must describe each processing purpose “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is necessary for the Processing purpose.”
For each processing purpose, the notice must provide: (a) The categories of personal data processed. (b) The categories of personal